[Bro] Fw: "services" variable referenced in known-services.bro

Earl Eiland earl.eiland at root9b.com
Mon Jun 8 04:36:45 PDT 2015

Unfortunately, we don't have permission to share our test data.  However, it is an industrial control system (ICS).  Most of the traffic is MODBUS, although we expect to be deploying the detector on ICSs using DNP3 and IEC 61850.  In addition to MODBUS, our test data also has some TDS and HTTP traffic, and of course, the usual network management traffic (DNS, ICMP, DHCP, etc.).

ICS traffic tends to be quite regular.  Our goal is to develop a detector that can flag a conversation using an anomalous communication protocol.

Best Regards,

Earl Eiland,
Sr. Cyber Security Engineer,
Emerging Technologies, root9B,
San Antonio, Texas

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity named.  If you are not the named addressee you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.  Please notify the sender immediately by email if you received this email in error and delete this email from your system. Any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of root9B LLC.​

From: Seth Hall <seth at icir.org>
Sent: Friday, June 5, 2015 1:59 PM
To: Earl Eiland
Cc: bro at bro.org
Subject: Re: [Bro] "services" variable referenced in known-services.bro

> On Jun 5, 2015, at 2:46 PM, Earl Eiland <earl.eiland at root9b.com> wrote:
> That helps a lot.  When I run DPD, the various logs show that traffic is being correctly parsed.  It seems that the information should appear in conn.log's service column, particularly when DPD is invoked from the command line.  This, however, is not the case.   What am I overlooking?

Could you show a little more concretely how you’re running Bro?  Ideally you could provide a pcap that shows what you’re seeing although I understand if you’re unable to do that.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list